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AN APPARATUS AND METHOD FOR 
AN ITERATIVE CRYPTOGRAPHIC BLOCK 

RELATED APPLICATION 
[001] This application is a non-provisional patent application which claims the 

benefit of priority on U.S. Provisional Application No. 60/497,690, filed August 25, 
2003, currently pending. 

FIELD OF THE INVENTION 
[002] One or more embodiments of the invention relate generally to the field of 

digital content security. More particularly, one or more of the embodiments of the 
invention relate to a method and apparatus for an iterative cryptographic block. 

BACKGROUND OF THE INVENTION 
[003] Analog communication systems are rapidly giving way to their digital 

counterparts. Digital television is currently scheduled to be available nationally. Highr 
definition television (HDTV) broadcasts have already begun in most major cities on a 
limited basis. Similarly, the explosive growth of the Internet and the World Wide Web 
have resulted in a correlative growth in the increase of downloadable audio- visual files, 
such as MP3-formatted audio files, as well as other content. 
[004] Simultaneously with, and in part due to this rapid move to digital 

communications system, there have been significant advances in digital recording 
devices. Digital versatile disk (DVD) recorders, digital VHS video cassette recorders (D- 
VHS VCR), CD-ROM recorders (e.g., CD-R and CD-RW), MP3 recording devices, and 
hard disk-based recording units are but merely representative of the digital recording 
devices that are capable of producing high quality recordings and copies thereof, without 
the generational degradation (i.e., increased degradation between successive copies) 
known in the analog counterparts. The combination of movement towards digital 
communication systems and digital recording devices poses a concern to content 
providers such as the motion picture and music industries, who are reluctant to provide 
downloadable digital content due to fears of unauthorized and uncontrolled copying of 
such digital content. 

[005] In response, there is a movement to require service providers, such as 

terrestrial broadcast, cable and direct broadcast satellite (DBS) companies, and companies 
having Internet sites which provide downloadable content, to introduce copy protection 
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schemes. These copy protection schemes may extend beyond the role of conditional 
access (CA), merely descrambling content to a CA-clear format for real-time viewing 
and/or listening, and now include constraints and conditions on the recording and 
playback. For example, currently, copying of scrambled content for subsequent 
descrambling and viewing or listening may be permitted with the appropriate 
service/content provider authorization or key provided to the digital device. 
[006] Traditional CA systems for Pay-TV originated from one-way broadcast 

systems where a back channel was not available. A cryptographic processor, such as a 
smart card, in a conditional access unit (e.g., a set-top box) is generally infused with 
information and functionality in order to automatically grant access to programs. For 
example, a smart card with a Pay-TV access control application is adapted to receive 
messages that grant certain service entitlements. If the set-top box was allowed to view 
IPPV programs, then credit and cost limit information was transmitted as well. Likewise, 
when tuning to a program, the smart card received messages that described which 
entitlements the smart card needed in order to grant access to the program. 
[007] Currently, hackers have manipulated both types of messages in order to 

view programs without paying the requisite subscription fees. Not only can these 
messages be manipulated, but the hardware can be attacked as well. For instance, 
descrambling keys in the clear that are used to descramble scrambled content can be 
copied and sent to other set-top boxes over the Internet. Such hacking is costly to both 
service providers as well as the content owners. 
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BRIEF DESCRIPTION OF THE DRAWINGS 
[008] The various embodiments of the present invention are illustrated by way 

of example, and not by way of limitation, in the figures of the accompanying drawings 
and in which: 

[009] FIG. 1 is a block diagram of a content delivery system including a digital 

device, in accordance with one embodiment. 

[0010] FIG. 2 is a block diagram illustrating a set-top box including an iterative 

cryptographic block, in accordance with one embodiment. 

[0011] FIG. 3 is a block diagram further illustrating the iterative cryptographic 

block of FIG. 2, in accordance with one embodiment. 

[0012] FIG. 4 is a block diagram illustrating a key feedback path of the iterative 

cryptographic block of FIG. 3, in accordance with one embodiment. 

[0013] FIG. 5 is a block diagram illustrating key nesting using the iterative 

cryptographic block of FIG. 3, in accordance with one embodiment. 

[0014] FIG. 6 is a block diagram illustrating a data feedback path of the iterative 

cryptographic block of FIG. 3, in accordance with one embodiment. 

[0015] FIG. 7 is a block diagram illustrating data nesting using the iterative 

cryptographic block of FIG. 3, in accordance with one embodiment. 

[0016] FIG. 8 is a block diagram illustrating a combination of the key feedback 

path and data feedback path of the iterative cryptographic block of FIG. 3, in accordance 

with one embodiment. 

[0017] FIG. 9 is a block diagram illustrating key and data nesting using the 

iterative cryptographic block of FIG. 3, in accordance with one embodiment. 
[0018] FIG. 10 is a block diagram illustrating a feed forward hash of a key using 

the iterative cryptographic block of FIG. 3, in accordance with one embodiment. 
[0019] FIG. 1 1 is a block diagram illustrating a feed forward hash of data using 

the iterative cryptographic block of FIG. 3, in accordance with one embodiment. 
[0020] FIG. 12 is a block diagram illustrating cipher block chaining using the 

iterative cryptographic of FIG. 3, in accordance with one embodiment. 
[0021] FIG. 13 is a block diagram illustrating an anti-hack circuit embodiment of 

the iterative cryptographic block of FIG. 3, in accordance with one embodiment. 
[0022] FIG. 14 is a block diagram further illustrating an anti-hack circuit 

embodiment for content key processing, in accordance with one embodiment. 
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[0023] FIG. 15 is a block diagram illustrating key reduction logic of a decryption 

key formed from the iterative cryptographic block of FIG. 3, in accordance with one 
embodiment. 

[0024] FIG. 16 is a block diagram illustrating key reduction logic decryption key 

formed from the iterative cryptographic block of FIG. 3, in accordance with one 
embodiment. 

[0025] FIG. 17 is a block diagram illustrating key reduction logic decryption key 

formed from the iterative cryptographic block of FIG. 3, in accordance with one 
embodiment. 
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DETAILED DESCRIPTION 
[0026] A method and apparatus for an iterative cryptographic block are described. 

Various embodiments relate to an apparatus, system and method for protecting the 
transfer of data. In one embodiment, such protection involves the descrambling and/or 
decrypting of digital content from one or more service providers within the digital 
devices themselves. Examples of a "service provider" include, but are not limited to a 
terrestrial broadcaster, cable operator, direct broadcast satellite (DBS) company, a 
company providing content for download via the Internet, or any similar sources of 
content. 

[0027] In the following description, certain terminology is used to describe 

features of the invention. For instance, the terms "component" or "logic" are each 
representative of hardware and/or software configured to perform one or more functions. 
Examples of "hardware" include, but are not limited or restricted to an integrated circuit 
such as a processor (e.g., microprocessor, application specific integrated circuit, a digital 
signal processor, a micro-controller, etc.), finite state machine, combinatorial logic or the 
like. The term "process block" represents hardware and/or software having a dedicated 
function, such as a finite state machine for example. 

[0028] An example of "software" includes a series of executable instructions in 

the form of an application, an applet, or even a routine. The software may be stored in 
any type of machine readable medium such as a programmable electronic circuit, a 
semiconductor memory device such as volatile memory (e.g., random access memory, 
etc.) and/or non-volatile memory (e.g., any type of read-only memory "ROM", flash 
memory), a floppy diskette, an optical disk (e.g., compact disk or digital video disc 
"DVD"), a hard drive disk, tape, or the like. 
System 

[0029] Referring to Figure 1, one embodiment of a content delivery system 100 is 

shown. Content delivery system 100 includes a digital device 110 that receives 
information including program data from one or more service providers. The program 
data may be propagated as a digital bit stream for example. Digital device 1 10 may 
operate as any number of products such as a set-top box or one or more components 
integrated into a television, computer, audio-playback device (e.g., digital radio), audio- 
recording device (e.g., MPS player), video-recording device (e.g., digital recorder), or the 
like. 
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[0030] For instance, digital device 1 10 may be configured in accordance with an 

embedded architecture, a split security architecture, or other like architecture. As an 
embedded architecture, in one embodiment, digital device 110 is implemented as a set- 
top box that comprises fixed, intemal circuitry supporting both entitlement management 
and descrambling operations. Alternatively, in accordance with a split security 
architecture embodiment, digital device 1 10 may be adapted to receive a removable smart 
card that handles entitlement management, while descrambling of digital content is 
controlled by intemal circuitry. 

[0031] Digital device 110 comprises a receiver 112, which processes the 

incoming information, extracts the program data inclusive of the digital content 
therefrom, and provides the digital content in a perceivable format (e.g., viewable and/or 
audible). The "program data" comprises any or all of the following: system information, 
entitlement control message(s), entitlement management message(s), or digital content. 
The "digital content" in the program data stream may include an image, audio, video or 
any combination thereof. The content may be in a scrambled or clear format. 
[0032] As described herein, the term "scrambled", when used to modify the terms 

"key", "content", "format" or "form" is inclusive of content or describes a format 
wherein encryption using any known encryption algorithm including, but not limited, the 
date encryption standard (DES), triple DES (3DES), advanced encryption standard (AES) 
Rivest, Shamir and Adelman (RSA) encryption or other like encryption standard, as well 
as scrambling algorithms, including conditional access (CA) common scrambling 
algorithm (CSA) (CA CS A) or other like scrambling algorithm. Likewise, the terms 
"scrambling" or "scrambled" refer to data or information that is encrypted or scrambled 
using any known conventional encryption or scrambling algorithms, as described above. 
The terms "descrambled" or "descrambling", when modifying the terms "key", "content" 
"format" or "form" refers to data or content in a format that is either decrypted or 
descrambled, such that the data or content is unobscured and available for playback in the 
clear format. 

[0033] Herein, "system information" may include information on program names, 

time of broadcast, source, and a method of retrieval and decoding, and well as copy 
management commands that provide digital receivers and other devices with information 
that will control how and when the digital content may be replayed, retransmitted and/or 
recorded. These copy management commands may also be transmitted along with an 
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entitlement control message (ECM), which is generally used to regulate access to a 
particular channel or service. An "Entitlement Management Message" (EMM) may be 
used to deliver entitlements (sometimes referred to as "privileges") to digital receiver 
111. Examples of certain entitlements may include, but are not limited to access rights or 
descrambling keys. A descrambling key is generally a code that is required by 
descrambler (decryption) logic (e.g., a cryptographic block) to recover data in the clear 
from a scrambled format based on the entitlements granted. 

[0034] As shown, when implemented as a set-top box, digital device 1 10 may be 

coupled to other components in content delivery system 100 via a transmission medium 
120. The transmission medium 120 operates to transmit program data between digital 
device 1 10 and other components in content dehvery system 100. The transmission 
medium 120 may include, but is not limited to electrical wires, optical fiber, cable, a 
wireless link established by wireless signaling circuitry, or the like. 
[0035] In one embodiment, content delivery system 100 includes an audio system 

130 coupled to transmission medium 120. A digital VCR 140, such as a D-VHS VCR, 
may also be coupled to the digital device 1 10 and other components of content delivery 
system 100 through transmission medium 120. A hard disk recording unit 150 may also 
be coupled to digital device 1 10 and other components via transmission medium 120. 
Display 160 may include a high definition television display, a monitor, or another device 
capable of processing digital video signals. Finally, a control unit 170 may be coupled to 
the transmission medium 120. Control unit 170 may be used to coordinate and control 
the operation of some or each of the components on content delivery system 100. 
[0036] The digital content of the program data may be transmitted in scrambled 

form. In one embodiment, as part of the program data, access requirements may be 
transmitted along with the scrambled content to digital device 110 (e.g., set-top box) that 
is implemented with receiver 1 12 thereby functioning as a conditional access unit. An 
"access requirement" is a restrictive parameter used to determine if digital device 1 10 
implemented with conditional access functionality, hereinafter referred to herein as the 
"conditional access unit 110," is authorized to descramble the scrambled content for 
viewing or listening purposes. For example, the access requirement may be a key needed 
to perceive (view and/or listen to) the content, a service tag associated with a given 
service provider, or even a particular descrambling software code. 
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[0037] When a scrambled program is received by conditional access unit 1 10, the 

access requirements for the program are compared to the actual entitlements assigned to 
the conditional access unit 110. In order for the conditional access unit 110 to display the 
scrambled content in clear form, in one embodiment, the access requirements associated 
with the digital content are compared to the entitlements of the conditional access unit 
1 10. The entitlements may state that conditional access unit 1 10 is entitled to 
view/playback content from a given content provider such as Home Box Office (HBO), 
for example. The entitlements may also include one or more keys needed to descramble 
the digital content. The entitlements also may define the time periods for which 
conditional access unit 1 10 may descramble the digital content. 

[0038] Thus, in one embodiment, access requirements and entitlements form a 

part of the access control system to determine whether a conditional access unit or even a 
decoder is authorized to view a particular program. It is contemplated that the description 
below focuses on mechanisms to recover audio/visual content such as television 
broadcasts, purchased movies and the like. However, it is contemplated that the 
invention is also applicable to the descrambling of audible content only (e.g., digitized 
music files). 

[0039] The access requirements and entitlements can provide consumers with a 

variety of choices for paying for the content and gaining access to the scrambled content. 
These choices may include pay per play (PPP), pay per view (PPV), impulse pay per 
view (IPPV), time based historical, pay per time (PPT). "Impulse pay per view" is a 
feature which allows purchase of PPV movies through credit that has been previously 
downloaded into the set-top box. Purchase records may be stored and forwarded by 
phone to a billing center. *Time based historical" allows access to content that was 
delivered during a past time period, such as March through December, 2003, for example. 
The access requirements and entitlements can also provide consumers with different 
options for storing the scrambled content. 

[0040] The access requirements may be delivered to the conditional access unit, 

located within digital device 1 10 or coupled thereto over transmission medium 120, using 
packet identifiers (PIDs). Each PID may contain the access requirements associated with 
a given service. The content that is delivered to the conditional access unit may also 
include a large number of PIDs, thus enabling special revenue features, technical features, 
or other special features to be performed locally. 
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[0041] Before receiving the content, the customer may be given a number of 

choices for gaining access to the digital content that is going to be stored to media. The 
customer may be required to purchase the right to access and view the content. 
Therefore, if the customer wants to record the content for later retrieval and viewing, the 
access requirements that the customer bought also need to be stored with the digital 
content. 

[0042] In addition, there may be copy-protection applied to the descrambled 

digital content (e.g., transport stream) as shown in FIG. 2. Copy-protected digital content 
will be re-scrambled across an interface interconnecting a destination interface and a 
source. The source and destination interface need to agree on the key used to re-encrypt 
this content. This copy protection key can be encrypted with the unique key associated 
with the digital device. The unique key can be received through an EMM or other 
method, e.g. factory load procedure. 

[0043] FIG. 2 is a block diagram illustrating a secure content delivery system that 

comprises a conditional access unit as a set-top box 200 adapted to operate with an 
iterative cryptographic block (ICB) 400, in accordance with one embodiment. As 
illustrated, decoder integrated circuit (IC) 300 receives scrambled content 222 from tuner 
220 that is descrambled using cryptographic block 310. In one embodiment, depending 
on the encoding of the scrambled content, once descrambled, the content is decoded using 
decode block 390 to form a clear content signal, such as, for example, a video output 
signal 260. 

[0044] However, the embodiments described herein are not limited to 

incorporation of ICB 400 within decoder IC 300, which decodes descrambled content to 
form clear content. In one embodiment, ICB 400 may be used within a cryptographic IC 
in order to reduce the cost of the cryptographic IC by removing additional blocks required 
to perform key ladder applications, such as key an data nesting, as described herein. In 
alternate embodiments, ICB 400 may be used within or performed by programmed 
cryptographic processors or cryptographic ICs or operate under the control of a state 
machine. 

[0045] In one embodiment, an embedded cryptographic CPU is programmed to 

perform the functionality of ICB 400. Accordingly, in one embodiment, ICB 400 is an 
embedded cryptographic CPU configured to perform multiple scrambling of digital 
content and to implement key ladder applications of descrambling keys and data nesting 
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used to form a final descrambling key which may be used to clear digital content. 
Furthermore, in one embodiment, ICB 400 may be used within a mating key server to 
generate known vectors into a key processing block in a receiver with a one-time 
programmable key to encrypt service keys and derivative keys to decrypt content. 
[0046] In the embodiment illustrated, clear digital output 250 may be scrambled 

and stored within hard disk 240 to prohibit clear unauthorized exposure of the digital 
content. In one embodiment, ICB 400 of decoder IC 300 stores at least one one-time 
programmable (OTP) secret key that enables the performance of key ladder decryption 
schemes in order to enable low cost converter set-top boxes, which will be required as 
cable operators convert their plants to all digital configurations. In one embodiment, an 
optional smart card 230 handles entitlement management, while descrambling of digital 
content is controlled by ICB 400. 

[0047] Representatively, smart card 230 stores one or more encrypted 

descrambling keys for descrambling incoming digital content. Smart card 230 transmits 
the descrambling key(s) in encrypted form to ICB 400. In order to protect the 
descrambling key(s), generally referred to as "DK", from being improperly extracted by 
an interloper monitoring communications between smart card 230 and ICB 400, smart 
card 230 may use an encryption key unique to decoder IC to encrypt the DK. This allows 
decoder IC to decrypt the DK in a secure manner and use the DK in a clear format to 
descramble digital content 22. 

[0048] In one embodiment, each stage of ICB 400 is controlled by main central 

processing unit (CPU) 210. In one embodiment, CPU 210 selects the internal (secret) key 
and the data (internal or external) inputs and the modes of operation provided by ICB 
400. As discussed in further detail below, each processing step provided by ICB 400 
allows secure operation through a solitary cryptographic block designed with key and 
data feedback paths, hashing and chaining modes and anti-hack circuits, as further 
illustrated with reference to FIG. 3. 

[0049] In one embodiment, descrambler IC 300 handles the secure processing of 

the descrambling keys. This descrambler IC 300 has no CPU, no firmware, and no 
software. However, by using a key feedback path, complicated key hierarchy are 
supported by ICB 400. No instructions, no code, and no software is loaded into ICB 400. 
The decryption scrambled key is performed entirely by ICB 400 being a hardware circuit 
or state machine using only a single key function. 
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[0050] One or more unique keys, generally referred to herein as "one-time 

programmable (OTP key(s))", may be programmed into a storage element such as, one or 
more key registers 250 during manufacture. For example, in one embodiment, decoder 
IC 300 is implemented with a programmable non- volatile storage element (not shown), 
such as flash. In another embodiment, decoder IC 300 is implemented with non- 
programmable, non-volatile memory that can be written only once in order to enhance 
security. As a result, there is no way to either improperly read or overwrite the OTP that 
is originally loaded into a storage element. An association between the serial number of 
set-top box 200 and the OTP loaded into decoder IC 300 of the set-top box 200 may be 
recorded. 

[0051] When set-top box 200 is manufactured and a smart card 230 is installed, 

smart card 230 can receive the OTP associated with set-top box 200 at the time of 
pairing. From then on, smart card 230 is "paired" to that particular host (e.g., set-top box 
200). Later, if smart card 230 is ever replaced or moved to a new host, smart card 230 
may be adapted to receive a unique key associated with the new host via an Entitlement 
Management Message (EMM), Of course, as an alternative, a new smart card with a 
newly programmed unique key may also be delivered to the user. 
[0052] As illustrated with reference to FIG. 3, ICB 400 includes a key feedback 

path 402, as well as the data feedback path 404, which enable the implementation of 
virtually any type of key hierarchy. As described in further detail below, iterative looping 
on the key and data allows the implementation of relatively complicated nested key and 
data hierarchies (where internally stored values are used to process subsequent values ad 
naseum). Accordingly, in one embodiment, decoder IC 300, with the use of ICB 400, 
may provide support for conditional access (CA) and digital rights management (DRM) 
methods where players in delivery systems can be authenticated into a root key or content 
key derived. As further illustrated in detail below, ICB 400 supports not only data block 
decryption, but also encryption/decryption of streams. In one embodiment, anti-hack 
circuits have been added to prevent manipulation of an implementation's key hierarchy 
by the inherently flexible design of ICB 400. 

[0053] In one embodiment, a scrambled (encrypted) descrambling (decryption) 

key from, for example, smart card 230, may be provided to external data input 422 of 
ICB 400. In one embodiment, the scrambled key is descrambled by cryptographic block 
410 using an OTP key from OTP key registers 472. In one embodiment, the descrambled 
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key is directly provided to content key processing 320 and used to directly descramble 
scrambled content 222. In another embodiment, the descrambled key is used to 
descramble one or more descrambling keys, which are received inband with scrambled 
content 222, and subsequently used for descrambling purposes. 
[0054] Representatively, descrambled key 468 is stored within internal key 

registers 470 and subsequently used to descramble scrambled keys received inband via 
external data input 422. Each received descrambled key may be scrambled using 
different public and proprietary encryption, scrambling or other like algorithms. These 
different proprietary algorithms may be considered as anti-piracy measures to invalidate 
clone hardware. Furthermore, in one embodiment, scrambled system information, such 
as, for example, copy management commands transmitted along with entitlement control 
messages (ECM) to regulate access to a particular channel service, as well as entidement 
management messages (EMM), which may be used to deliver entitlements or privileges, 
may be descrambled, or decrypted, via cryptographic block 410 and stored in clear format 
in external data out 270. 

[0055] FIG. 4 is a block diagram further illustrating key feedback path 402 of ICB 

400, in accordance with one embodiment. In one embodiment, key feedback path 402 
operates under the control of an off-chip, insecure CPU, such as, for example, CPU 210. 
As illustrated, external data input 422 receives scrambled external information 426, 
which is provided to cryptographic block 410. In one embodiment, the block 410 may be 
implemented using the advanced encryption standard (AES), triple data encryption 
standard (3DES), a digital video broadcast (DVB) common scrambling algorithm (CSA) 
(DVB CSA), a data encryption standard (DES) or the like. 

[0056] Representatively, external information 426 may include a scrambled key, 

which is provided in band with scrambled content 222. In the embodiment illustrated, at 
least one preprogrammed key, such as, for example, an OTP key is stored within key 
register 472. Representatively, when an inband scrambled key 426 is received by block 
410, key selection gate 474 provides descrambling key 476 to a key input of block 410. 
Using descrambling key 476, the received inband scrambled key is descrambled to form 
internal key 464. 

[0057] According to conventional techniques, internal key 464 may be provided 

to cryptographic block 310 in order to decrypt scrambled content 222. However, in one 
embodiment, ICB 400 includes key feedback path 402, which enables the storage of 
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descrambled internal keys 466 within internal key register 470. Hence, in the 
embodiment illustrated, iterative key looping may be performed by storing internal keys 
466 within internal key registers 470 to descramble in band received encrypted keys. 
[0058] Accordingly, as illustrated with reference to FIG. 5, a key ladder (also 

referred to herein as key nesting) may be performed as inband scrambled keys are 
descrambled to form internal keys 466, which are then used to descramble a further 
inband key 466 (466-1, . . 466-N) to form a final descrambling key 412-N, which is 
sent to content key processing 320. In contrast to conventional key nesting, or key 
ladders, which require multiple cryptographic blocks to implement such key ladders, ICB 
400, using key feedback path 402, may provide infinite key ladders in order to provide a 
final descrambling key while using a single cryptographic block, 

[0059] Accordingly, as illustrated with reference to FIG. 4, ICB 400 allows for 

internal key feedback registers 470 and 472, which allow infinite iteration or looping on 
the key value using, for example, an AES core cipher for decryption block 410. 
Representatively, feedback registers 470 allow an infinite amount of key depth without 
using an infinite amount of cryptographic blocks. Although some CA units allow 
iteration around a descrambling core, the number of iterations are fixed. A fixed number 
of iterations makes it difficult to accommodate different key management approaches and 
key hierarchies. In one embodiment, AES is used since a key size of AES matches a key 
size of the data encryption block. 

[0060] Hence, AES experiences no information loses as experienced with DES 

when a 64-bit output is used for the 56-bit key of the next processing stage wherein 8 bits 
of data are lost in a process called sparsing. Representatively, with each processing stage, 
external information 426 (426-1, . . ., 426-N) may be decrypted by any of the internal 
keys (OTP or internally stored keys). In one embodiment, internal key registers 470 can 
also be used to temporarily store decrypted keys for packages, channels or programs to 
allow for more rapid channel tuning and descrambling of a stream. 
[0061] Referring now to FIG. 6, data feedback path 404 of ICB 400 is further 

illustrated, in accordance with one embodiment. In one embodiment, data feedback path 
operates under the control of an off-chip, insecure CPU. As illustrated, internal data 
register 420 is used to store descrambled data 466 from a previous stage. Accordingly, as 
illustrated with reference to FIG. 7, data nesting may be performed using preprogrammed 
key 476 by storing decrypted data 466 from a previous stage with an internal data register 
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420. Accordingly, internal data feedback register 420 allows infinite iterative looping on 
data value of decrypted data values 412 (412-1, . . 412-N). Accordingly, inband 
received descrambling keys may be encrypted multiple times in order to enhance security 
features provided by decoder IC 300. 

[0062] Furthermore, as illustrated with reference to FIG. 8, FIG. 8 further 

illustrates key feedback path 402 and data feedback path 404, which enable ICB 400 to 
provide a combination of iterative key and data looping. Representatively, ICB 400 uses 
both internal key 470 and data feedback registers 420, which allow the looping on the 
basic AES block cipher 410. In one embodiment, the key and data looping can allow for 
secure processing of powerful key tree ladders. As known to those skilled in the art, a 
key tree ladder represents the key/data processing required to derive a content key which 
is used to descramble content. 

[0063] As described herein, the key ladder can be a hash of data representing the 

access criteria for one or more content players or groups of players. The tree ladder can 
an efficient way for a player to process the key because the player does not necessarily 
need to receive all the data from all the branches of the tree. The resulting key or hash of 
the data from a particular branch of the tree can be delivered to the player. The resulting 
root key can be a function of all of the data from all the branches thereby providing a type 
of authentication of all of the data. In one embodiment, the combination of key and data 
nesting enables mapping of most CA and DRM systems to a combination key and data 
functionality provided by ICB 400. 

[0064] Referring now to FIGS 10 and 11, embodiments of hashing and chaining 

modes of ICB 400 are illustrated. As illustrated with reference to FIG. 10, logic gate 
enable 460 is coupled to a key input of block 410 and logic gate 462. In one 
embodiment, logic gate 462 performs a logical exclusive (XOR) operation from a 
descrambling key from the key input of decrypt block 410 and a descrambled key 412 to 
form hash key value 464. Hence, in one embodiment, by providing hash key value 464, a 
final descrambling key produced by ICB 400, if accessed by a hacker, would be provided 
in a hashed configuration, which would be useless to the hacker. 

[0065] As illustrated with reference to FIG. 11, ICB 400 may be implemented to 

provide feed forward hashing of data. Representatively, gate enable logic 450 receives 
scrambled data 426 and provides its value to logic gate 452, which performs a logical 
exclusive OR (XOR) operation of the descrambled data 412 and the scrambled external 
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information 426 to perform hash data value 454. Accordingly, if a final key value 
produced by ICB 400 is accessed by a hacker, the received key value is a hashed value, 
which is of no use to a hacker, thereby ensuring the security provided by ICB 400. 
[0066] Referring to FIG. 12, an embodiment of a cipher block chaining mode 

embodiment of ICB 400 is illustrated. Representatively, internal data output register 442 
may be used to store, for example, an initialization vector (IV), which is provided to gate 
enable logic 440. The IV may be provided to logic gate 444 to perform an XOR 
operation of external information 426 that is decrypted with block 410. As known to 
those skilled in the art, cipher block chaining (CBC) is a confidential mode whose 
encryption features the combining (chaining) of the plain text blocks with previous cipher 
blocks. 

[0067] Hence, as illustrated with reference to FIG. 12, internal data output 440 

initially stores initialization vectors (IVs) and subsequently decoded cipher text from a 
previous block. Accordingly, CBC mode requires an IV to combine with the first plain 
text block. The IV need not be secret, but is generally required to be unpredictable. 
Accordingly, for security reasons, block 410 is limited to simply performing decryption 
operations. Accordingly, hackers cannot be given the ability to encrypt internal key 
values, which would potentially allow them to gain access to services for which they are 
not entitled. 

[0068] Referring now to FIG. 13, an embodiment for implementing an ti -hack 

output registers of ICB 400 is illustrated. According to this embodiment, decoder IC 300 
(FIG. 2) includes external data output 270 and content key output (not shown). In one 
embodiment, ICB 400 is configured to permute a final key value, which generates data 
sent to external data output 270. In one embodiment, the calculated key sent to content 
key output is permuted. Representatively, these permutations make the processing of the 
last stage, whether for data or key, orthogonal to process done anywhere else. 
[0069] Hence, the possibility that key processing can be hacked is reduced, while 

still providing completely flexible key and data ladder configurations. In one 
embodiment, external data output 270 allows CPU 210 (FIG. 2) to decrypt messages and 
content files. However, a security problem exists with non-fixed key ladders in that a 
hacker might redirect an internal key or data to external data output register 270. 
Unfortunately, the key delivered to this register would be correct and in the clear. Hence, 
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in one embodiment, external data output 270 uses a permuted key to prohibit internal 
keys and data from being revealed when written to external data output 270. 
[0070] Referring now to FIG. 14, an embodiment of content key processing 320 

of FIG. 3 is illustrated. In one embodiment, ICB 400 sends data to key decryption 
registers, which get matched to decrypt or encrypt selected packet identifiers. 
Representatively, decryption logic then writes the decrypted descrambling keys into odd 
and even key storage elements for decryption by cryptographic block 310. However, a 
security problem exists with non-fixed key ladders in that a hacker might redirect an 
internal key or data to the content key output register (the key delivered to this register 
would be correct). Hence, a hacker could trial this key or use the key to encrypt or 
decrypt data, such as, data sent as MPEG packets. Accordingly, in one embodiment, 
extemal data output 270 uses a permuted key 326 to prohibit manipulation of the content 
key register. 

[0071] In one embodiment, ICB 400 can support key deliveries to the following 

low level encryption algorithms, including but not limited to AES (128-bits), 3DES (112- 
bits), CSA (64-bits) and DBS (56-bits) or the like. Conventionally, a security problem 
exists with systems that allow different bit level content descrambling algorithms. A 
hacker may program the device to chose 56-bit DES instead of 128-bit AES in order to 
trial the DES key. As a result, key reduction algorithms for reducing 128-bit to 56-bit 
key sizes (and other values for different descrambling algorithms) could potentially lead 
to a key exposure problem if performed incorrectly. Generally, smaller keys are much 
more easily trialed than longer keys. Once the smaller keys are known, the hacker could 
trial for other bits in the longer key. 

[0072] Accordingly, in one embodiment, key reduction logic 330 provides a 

method which XORs all bits together to create a reduced bit key as illustrated by FIGS. 
15-17. Representatively, each of the bits of the larger key are used to create the smaller 
keys. Referring to FIG. 15, key reduction logic 320 includes a pair of logic gates to 
perform 128-bit AES key to 1 12-bit 3DES key reduction. As illustrated, final key 490 is 
split into a lower M-bits and an upper N-bits. In one embodiment, the lower M-bits are 
1 12-bits and the upper N-bits are 16-bits, which are provided to logic gate 340. 
Representatively, logic gate 340 XORs upper N-bits across lower M-bits seven times to 
produce a 1 12-bit 3DES key. 
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[0073] FIG. 16 further illustrates key reduction logic 330, configured to perform 

key reduction to provide a 64-bit DVB CSA key. Representatively, content descrambling 
key 490 is divided into lower M-bits and upper N-bits, which are combined together 
using an XOR operation by logic gate 340 to form an M-bit DVB CSA key. As 
illustrated, the DVB CSA key is a 64-bit key value. In FIG. 17, key reduction logic 330 
is configured to perform key reduction from an AES key 490 to a DES key. 
Representatively, initial key 490 is divided into lower M-bits and upper N-bits, which are 
combined by logic gate 340 to form an M-bit value. The M-bit value is then divided into 
a lower X-bits and an upper Y-bits. These values are then combined using an exclusive 
OR operation of the upper Y-bits across the lower X-bits seven times to provide a 56-bit 
DES key value. 

[0074] Accordingly, ICB 400 is a solitary block which can be iteratively used to 

implement virtually any type of conditional access or digital write management scheme. 
Accordingly, ICB 400 can eliminate the need for separable security or crypto processors 
for stand alone conditional access or copy protection. Hence, using ICB 400 
implemented with at least one OTP secret key, flexible key ladders may be managed by a 
set-top box's main CPU. While ICB 400 may be used to mate a smart card to a set-top 
box to make hacking more difficult, its true value is in stand alone security, which can 
greatly reduce cost of a set-top box by eliminating costly smart cards. Hence, ICB 400 
provides service operators security options in a content delivery system at a reduced cost 
compared to conventional set-top box devices. 

[0075] It is to be understood that even though numerous characteristics and 

advantages of various embodiments of the present invention have been set forth in the 
foregoing description, together with details of the structure and function of various 
embodiments of the invention, this disclosure is illustrative only. In some cases, certain 
subassemblies are only described in detail with one such embodiment. Nevertheless, it is 
recognized and intended that such subassemblies may be used in other embodiments of 
the invention. Changes may be made in detail, especially matters of structure and 
management of parts within the principles of the embodiments to the full extent indicated 
by the broad general meaning of the terms in which the appended claims are expressed. 
[0076] Having disclosed exemplary embodiments and the best mode, 

modifications and variations may be made to the disclosed embodiments while remaining 
within the scope of the embodiments of the invention as defined by the following claims. 
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